Adversary Threat Tactics are Changing

Early 2010s: Zero-day vulnerabilities (Nation State, Industrial Espionage, Black Market)

Today: Rapidly weaponizing newly-disclosed vulnerabilities (Good, Fast, Cheap - Pick 3)
Known Critical Vulnerabilities are Increasing

- 14-16K vulnerabilities are disclosed annually (2017-2019)
- 30-40% are ranked as "High" or "Critical" severity
- Worm-able vulnerabilities are increasing (WannaCry, BlueKeep)

[Chart: vulnerability disclosures by year, 2014-2019]
"Mean Time to Weaponize" is rapidly decreasing year over year

Time to Weaponize

Vuln                     Disclosure   Exploit Date     Time       First Exploit Type
WannaCry                 March 2017   May 2017*        2 months   Ransomware
BlueKeep                 May 2019     Nov 2019         6 months   Cryptominer
Citrix ADC               Dec 2019     Jan 2020         1 month    Cryptominer
CurveBall (Crypt32.dll)  Jan 2020     Jan 2020 (PoC)


Get Proactive - Reduce the Attack Surface

- Immediately discover assets and vulnerabilities
- Patch and verify remediation
- Change configuration to limit unauthorized access
- Control network access / cloud security groups
- Add Endpoint Detection and Response
Proactively Hunt, Detect, and Respond

Indication of Compromise: detect malware, IOCs, IOAs, and verify threat intel

Security Analytics (Summer 2020): augment SIEMs by finding attacks using behavioral analytics and MITRE ATT&CK
Qualys IOC - Hunt Using Threat Intel

Example threat intelligence report (excerpt):

NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing
October 6, 2017

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list.

Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details

Anti-Virus Coverage
VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report.

Delivery - MD5: 71b6a493388e7d0b40c83ce903bc6b04
Installation - MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new) - MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions
NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

Hunting workflow:
1. Threat intelligence lists attack information...
2. Search for the file hash here...
3. Find the object there.

[Screenshot: Qualys Enterprise Indication of Compromise, Hunting view, searching the credential stealer's MD5 over the last 7 days; the matching object is found on assets WIN2008R2-11566 and WIN7-320860-T44]
Detect Malware Missed by Anti-Virus

UK Government Contractor
- "Big 4" anti-virus installed
- Qualys Agent for Vulnerability Mgmt
- Added Qualys IOC on existing agents
- 256 hosts

Qualys IOC discovered...
- Dridex Banking Trojan (51)
- 4 domain controllers infected
- Backdoors (7) installed due to phishing campaigns
- Netcat (8) root kits installed
- 46 PUAs installed

[Dashboard panels: Dridex Banking Trojan count and by hosts; Eldorado backdoor - phishing campaign; Netcat - rootkit/hacker tool; Malicious potentially unwanted apps (46) and by hostname]
Threat Intel Verification / Hunting

Malware Detection
EDR - Response Actions

SHA-256 hashes searched in the hunting demo:
5ceec909f3dfc890fdd1e76d6f3cc093465c9d980d68b9987fc3f5eb289b6bd2
a0c68e476f55d0b7cdd87b1b20a1e021672eec41f96e056d6289d8734491f9bb

Beyond Endpoint Detection and Response:
How can I better protect my crown jewels?


Threat Hunting Assumptions:

* Every user machine can be compromised - it only takes one click
* Every Remote Code Execution (RCE) vulnerability can be exploited
* Local Privilege Escalation and Credential Harvesting are used to move laterally
* System misconfigurations are often overlooked and easy to exploit
* Network segmentation is rarely used or hard to manage (configuration drift)

All attacks are not equal: can adversaries reach my Critical Servers?
Adversary Lateral Movements (Attack Paths)

Security tiers, lower to higher: User Segments -> Business Apps / IT Systems -> Tier 0 Systems (Crown Jewels)

1. Bad actor compromises a user machine (email, phishing, watering hole) and takes remote control of the machine.
2. Find systems in higher security tiers by looking for existing connections or network reconnaissance.
3. Laterally move to the new system by:
   - Exploiting open vulnerabilities
   - Taking advantage of misconfigurations
   - Using compromised credentials
4. Repeat steps 2 and 3 from the new foothold at each tier.
Attack Path Discovery (summer 2020)

Network Reachability
- Determine connections between hosts using Cloud Agent
- Passive + active network collection
- Store these connections in a Graph Database for fast query

+

Asset Security Posture (VMDR)
- Remotely exploitable vulnerabilities
- System misconfigurations
- Malware, IoCs, and Indicators of Activity
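The reachability graph plus asset posture described on this slide, worked as a small added example (not Qualys code; all host names, tiers and weakness labels are constructed): a BFS from a compromised user machine over observed connections that steps only onto hosts with a remotely exploitable vulnerability, a misconfiguration or compromised credentials, then a ranking of which weakness to fix first by how many crown-jewel paths it cuts. Run from an infected host instead of a user machine, the same function gives the response priority (which crown jewels that host can reach).

```python
from collections import deque, Counter

# Constructed sample inventory (not Qualys output). Tier 0 = user segments,
# 1 = business apps / IT systems, 2 = Tier 0 systems (crown jewels).
TIERS = {"WIN7-USER": 0, "HR-SHAREPOINT": 1, "JUMP-HOST": 1, "DC01": 2, "SWIFT-GW": 2}
# Asset security posture: each entry is one way onto the host (labels are illustrative).
POSTURE = {"WIN7-USER": ["phishing (user click)"],
           "HR-SHAREPOINT": ["remotely exploitable RCE vuln"],
           "JUMP-HOST": [],                      # patched and hardened: no way in
           "DC01": ["SMB signing disabled (misconfig)"],
           "SWIFT-GW": ["reused local admin password (compromised creds)"]}
# Network reachability observed by the agents, directed src -> dst.
EDGES = [("WIN7-USER", "HR-SHAREPOINT"), ("WIN7-USER", "JUMP-HOST"),
         ("HR-SHAREPOINT", "DC01"), ("JUMP-HOST", "DC01"),
         ("JUMP-HOST", "SWIFT-GW"), ("DC01", "SWIFT-GW")]

def attack_paths(start, edges=EDGES, posture=POSTURE, tiers=TIERS, crown_tier=2):
    """BFS over the reachability graph from a compromised host. An edge is
    traversable only if the destination has an exploitable weakness. Returns
    the shortest path to every crown-jewel host the adversary can reach."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in parent and posture.get(nxt):   # unvisited and has a way in
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for host in parent:
        if tiers.get(host) == crown_tier:
            path, cur = [], host
            while cur is not None:                       # walk back to the foothold
                path.append(cur)
                cur = parent[cur]
            paths[host] = path[::-1]
    return paths

def patch_priority(paths, posture=POSTURE):
    """Rank (host, weakness) pairs by how many crown-jewel paths they enable:
    fixing the top entries removes the most attack paths for the least work."""
    hits = Counter()
    for path in paths.values():
        for host in path[1:]:          # the foothold is a response target, not a patch target
            for weakness in posture[host]:
                hits[(host, weakness)] += 1
    return hits.most_common()
```

With the constructed data, fixing the RCE on HR-SHAREPOINT alone leaves no path from the user segment to either crown jewel, because the hardened jump host offers no way in.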
[Screenshot: Breach Attack & Simulation, Network view (last 7 days), showing the segments IT Mgmt Network, SWIFT Payment, Datacenter, Users and DR]
[Screenshot: Corporate Apps network topology (last 7 days) with hosts in the 172.16.201.x range, including shippinglabelApp, HMI:MM5, HMI:GE, HR SharePoint, Flex IO and an HP LaserJet 400 MFP M425 Postscript printer]
Attack Path Discovery for Proactive Threat Hunting and Response Priority


[Screenshot: Qualys Enterprise Indication of Compromise, Hunting view (Active View) before filtering: 675,335 total events; facets by type (file, mutex, network, process, registry), event action (created, established, listening, running) and score; rows show process, file and network events from assets WIN10PMIOC4 and EC2AMAZ-Q1M5FIB, such as WindowsAzureTelemetryService.exe, QualysAgent.exe, WmiPrvSE.exe and TCP/UDP connections by svchost.exe]


[Screenshot: the same Hunting view filtered to SHA-256 5ceec909f3dfc890fdd1e76d6f3cc093465c9d980d68b9987fc3f5eb289b6bd2: 5 events, all on asset SHAREPT003 (172.31.0.111) and all tagged Trickbot Trojan: process temp0291.exe in c:\Users\qualys\AppData\Roaming (file created, process running), mutex \BaseNamedObjects\4C3D653494D1128 created by temp0291.exe, and a TCP connection established by temp0291.exe to 66.85.173.57 (tar.theoutlan.com) port 443]
[Screenshot: Network Topology List View (last 7 days, Group Assets by), same Corporate Apps topology as above]
[Screenshot: Corporate Apps topology with the HR SharePoint asset panel: SharePoint, 172.31.0.111, New York, NY; tags New York, Corporate Apps, HR Apps, SharePoint, 60-day last scan. Infections (4 events): Process temp0294.exe, Malware: Trickbot, Risk Score: 9; File: WormDll64, Malware: Trickbot, Risk Score: 8; File: NetworkDll64, Malware: Trickbot, Risk Score: 8; File: ShareDll64, Malware: Trickbot, Risk Score: 8]
[Screenshot: the same asset panel with the Quick Menu open on the HR SharePoint asset: View Asset Details, Execute a Response, Quarantine Host]
Execute a Response

The following response will be executed for the selected processes and files on the defined hosts.

Process (1)
RISK SCORE   PROCESS NAME   MALWARE    HOST
             temp0291.exe   TrickBot   SHAREPT003
Actions: Kill Process, Quarantine File

File Type (3)
RISK SCORE   FILE NAME                                         MALWARE    HOST
             WormDll64 (C:\Users\support\AppData\Roaming)      TrickBot   SHAREPT003
             NetworkDll64 (C:\Users\support\AppData\Roaming)   TrickBot   SHAREPT003
             ShareDll64 (C:\Users\support\AppData\Roaming)     TrickBot   SHAREPT003
Action: Quarantine File
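The hunt-and-respond flow shown in the Hunting view and this dialog, as an added defender-side example rather than Qualys code: constructed telemetry rows are matched against a placeholder threat-intel set (hash, C2 domain, mutex name) and each hit is mapped to the response actions from the dialog. All indicators, paths and the rule that an established C2 connection warrants isolating the host are assumptions, not product behaviour.

```python
from collections import defaultdict

# Constructed threat-intel set: (indicator type, value) -> (malware family, risk score 1-10).
INTEL = {("file_hash", "a" * 64): ("TrickBot", 9),
         ("domain", "c2.placeholder.invalid"): ("TrickBot", 9),
         ("mutex", "\\BaseNamedObjects\\PLACEHOLDER-MUTEX"): ("TrickBot", 8)}

# Constructed endpoint telemetry, shaped like the rows in the Hunting view.
EVENTS = [
    {"asset": "SHAREPT003", "type": "process", "object": "temp0291.exe",
     "path": r"C:\Users\support\AppData\Roaming\temp0291.exe", "file_hash": "a" * 64},
    {"asset": "SHAREPT003", "type": "network", "object": "temp0291.exe",
     "domain": "c2.placeholder.invalid", "port": 443},
    {"asset": "SHAREPT003", "type": "mutex", "object": "temp0291.exe",
     "mutex": "\\BaseNamedObjects\\PLACEHOLDER-MUTEX"},
    {"asset": "SHAREPT003", "type": "file", "object": "WormDll64",          # unknown hash: no hit
     "path": r"C:\Users\support\AppData\Roaming\WormDll64", "file_hash": "b" * 64},
]

def hunt(events=EVENTS, intel=INTEL):
    """Match every event against the intel set on hash, domain and mutex name;
    returns per-asset findings carrying the highest risk score observed."""
    findings = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in events:
        for field in ("file_hash", "domain", "mutex"):
            hit = intel.get((field, ev.get(field)))     # (family, score) or None
            if hit:
                f = findings[ev["asset"]]
                f["score"] = max(f["score"], hit[1])
                f["hits"].append({"type": ev["type"], "object": ev["object"],
                                  "path": ev.get("path"), "malware": hit[0]})
    return dict(findings)

def plan_response(findings):
    """Map hits to the dialog's actions: kill a matched process and quarantine its
    file, quarantine a matched file; host isolation on a C2 hit is an assumption."""
    plan = {}
    for asset, f in findings.items():
        actions = set()
        for hit in f["hits"]:
            if hit["type"] == "process":
                actions |= {("Kill Process", hit["object"]), ("Quarantine File", hit["path"])}
            elif hit["type"] == "file":
                actions.add(("Quarantine File", hit["path"]))
            elif hit["type"] == "network":
                actions.add(("Quarantine Host", asset))
        plan[asset] = sorted(actions)                    # mutex hits inform the score only
    return plan
```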
Attack Path Discovery to Prioritize Patching and Improve Security Defenses


Vulnerability Remediation Prioritization

- CVSSv2 / CVSSv3 base scores
- Qualys QID Severity score
- Qualys Tagging for Asset Business Criticality
- Qualys Threat Protection Real-Time Indicators (based on threat intel and live attacks)
- Qualys VMDR Threat Prioritization (Machine Learning model + Contextual Awareness)
- Qualys Attack Path Discovery
Thank You

Chris Carlson
ccarlson@qualys.com